www.bundesbrandschatzamt.de
Babblings about Systems Administration.

Teaching Linux Part 3

After a few sessions about Emacs I continued with Linux. Every process on an operating system must belong to somebody, because that defines which privileges the process can have. That makes user management one of the most important tasks of the OS. On Linux the first entry point is /etc/nsswitch.conf, provided by the glibc package. As everything builds on top of the Linux kernel and glibc you can see how important that part is. In the Name Service Switch config file you have multiple options to define where the OS should look for users. If you run big networks you might use the Network Information Service (NIS) or LDAP. On most Linux systems you will rely on plain text files. It sounds old fashioned, but remember: for every process that gets started the system has to do a lookup. Any latency will affect the whole computer. If you need some kind of centralization, using a configuration management system like CFEngine or Puppet is a wise decision, as you get the best of both worlds: semi-central user management and no performance impact.

We have to distinguish between user authorization and authentication. Authorization is about what a user can do, either through direct privileges or through membership in a group of users. Giving the permissions to a group is easier for the administrator.

/etc/passwd is the next step after nsswitch if you rely on files. Most privileges are about being able to access files and directories. The filesystem doesn't know anything about users. Instead a user id (uid) and a group id (gid) are stored with each file. The passwd file contains the uid and the primary gid for a user. Everybody on the system needs that information: for example, if you list a directory you don't want to see a uid but the username. Thus everybody requires permission to read the passwd file. Wait a second: everybody is allowed to read the passwd file? Your concern is right! That's why we nowadays have another sibling of passwd called /etc/shadow, which holds the password hashes. This file is only accessible to the root user and programs running with its privileges.

Of course a user might need more than one group. That's why we have /etc/group, which contains the list of each group's members.

The above files are managed with either adduser or useradd, depending on your flavour of Linux. Isn't it nice that we have options? In theory you could also edit those files directly or write your own programs to do it. If you ask me, I wouldn't do that. Some people spent a lot of time writing adduser, useradd, groupadd, usermod, groupmod, userdel and groupdel. Other people took the effort to review those programs. If you write your own incarnation you might break the system so that nobody is able to log in to that computer.
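As an added illustration (not the blog's own code) of how the passwd and group entries described above fit together, the following Python script parses constructed sample lines in the passwd(5) and group(5) layout, resolves a user's primary and supplementary groups the way `id -Gn` does, flags accounts whose passwd entry does not defer to /etc/shadow, and checks whether a file mode would let "others" reach the shadow file. All sample entries are made up.

```python
import stat

# Constructed sample content standing in for /etc/passwd and /etc/group.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
users:x:100:alice,bob
alice:x:1000:
bob:x:1001:
"""

def parse_passwd(text):
    """Map username -> (uid, primary gid, password field)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw, uid, gid, _gecos, _home, _shell = line.split(":")
            users[name] = (int(uid), int(gid), pw)
    return users

def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), set(filter(None, members.split(","))))
    return groups

def groups_for(user, users, groups):
    """Primary group (matched by gid) plus every group listing the user, like `id -Gn`."""
    _uid, primary_gid, _pw = users[user]
    names = {g for g, (gid, _) in groups.items() if gid == primary_gid}
    names |= {g for g, (_, members) in groups.items() if user in members}
    return sorted(names)

def unshadowed_accounts(users):
    """Accounts whose passwd entry is not 'x' (defer to /etc/shadow):
    either an empty password or a hash readable by every local user."""
    return sorted(n for n, (_, _, pw) in users.items() if pw != "x")

def world_accessible(mode):
    """True if the 'others' bits allow any access; /etc/shadow must never be in this state."""
    return bool(stat.S_IMODE(mode) & stat.S_IRWXO)
```

Run against the real files (`open("/etc/passwd").read()`) to compare the result with the `id` command on your own machine.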

Most permissions are about file access rights. In the Unix world a file is primarily owned by a user and a group; everyone else counts as "others". Depending on your file system or extensions like SELinux there might be more. For now let's keep it simple. A few bits hold the file and directory permissions. With ls -l and chmod you can see and modify them. Have a look at the man pages by running man chmod to learn more about it.

During our session we had a question about directory access. Here is a real world example:

Among other information, every file and directory carries a last modified timestamp. The directory's own last modified timestamp gets updated if content in that directory gets modified or a file in that same directory gets updated.

By now you should know how important the files in your /etc/ directory are. If you care about those files as much as I do you might want to configure something like etckeeper to keep track of changes.